From b3ba9978cc42a5031c7b68e3cf917ec2e64643bc Mon Sep 17 00:00:00 2001
From: Marc Cornellà
Date: Tue, 9 Nov 2021 09:54:21 +0100
Subject: fix(themes): fix potential command injection in `pygmalion`, `pygmalion-virtualenv` and `refined`

The pygmalion and pygmalion-virtualenv themes unsafely handle git prompt information which results in a double evaluation of this information, so a malicious git repository could trigger a command injection if the user cloned and entered the repository. A similar method could be used in the refined theme. All themes have been patched against this vulnerability.
---
 themes/refined.zsh-theme | 1 +
 1 file changed, 1 insertion(+)
(limited to 'themes/refined.zsh-theme')

diff --git a/themes/refined.zsh-theme b/themes/refined.zsh-theme
index 5d39bd757..5e2de7a87 100644
--- a/themes/refined.zsh-theme
+++ b/themes/refined.zsh-theme
@@ -70,6 +70,7 @@ preexec() {
 # Output additional information about paths, repos and exec time
 #
 precmd() {
+ setopt localoptions nopromptsubst
 vcs_info # Get version control info before we start outputting stuff
 print -P "\n$(repo_information) %F{yellow}$(cmd_exec_time)%f"
 unset cmd_timestamp #Reset cmd exec time.
-- 
cgit v1.2.3-70-g09d2
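Review bot: The added `setopt localoptions nopromptsubst` carries no comment explaining why it is there, even though it is the whole fix: without it, the `print -P` two lines below re-expands any `$(...)`, backtick or `${...}` sequence contained in the text returned by `repo_information`, which is built from repository data. A one-line comment above it, `# Keep prompt substitution off so repo-derived text (e.g. branch names) is not evaluated a second time by print -P`, would stop a future cleanup from dropping it as "unused". Note that `print -P` still applies `%`-style prompt escapes to that text, so a repository or branch name containing `%` sequences can still distort the rendered line; this is presumably cosmetic rather than exploitable, and the usual remedy is to escape `%` as `%%` inside `repo_information`, which is not visible in this hunk. The `precmd()` body continues past the end of the hunk.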